* origin/topic/jsiwek/irc-orig:
Shorten what's displayed in the IRC's log mime_type column for DCC transfers
Add IRC unit tests.
Small tweak to IRC event handler priorities
Fix IRC analyzer supplying wrong type to irc_dcc_message event.
Changes to IRC analyzer and events (addresses #469).
- Removed irc_client and irc_server events.
- Added is_orig arguments to all other irc events.
- Fix analyzer not recognizing Turbo DCC extension message format.
- Fix analyzer not generating irc_dcc_message event when irc_privmsg_message
event doesn't have a handler registered.
- Changes to IRC policy scripts to use the above changes.
- Fixing more vestiges from moving site.bro and removing functions.bro
- Updates comments on analysis-groups.bro
- Added the trim-trace-file script from broctl.
- Control framework is for runtime control of Bro instances.
It was extracted from BroControl and made more generic.
- Tests for cluster frameworks and control framework.
- Small fix for btest.cfg
- Fixed a bug in the cluster framework that was causing things to break.
- Scripts now use the full path for @load to remove the subpaths
from the shipped BROPATH.
- Some script sets have been reorganized to make optional loads
more obvious.
- It's ok to always load the framework. If you don't
specify the CLUSTER_NODE environment variable it doesn't
ultimately do anything.
- The $CLUSTER_NODE variable causes the framework to try and
load a script named cluster-layout.bro which must be located
somewhere in your $BROPATH. The value of the $CLUSTER_NODE
variable is a count that indicates a node in the Cluster::nodes
variable that is set in the cluster-layout.bro script.
- The Cluster::nodes variable is a flat configuration because
it's assumed that it would be automatically generated by a
utility such as BroControl. This will facilitate the tiered or
"deep" clustering that is coming.
It had some conceptual problems because notices aren't
always logged and in some cases are fairly infrequently
logged which resulted in a lot of notice tags being
attached to connections where the notice didn't show
up in a log file. Also, the rule of thumb here is that
frameworks should never load protocols. It's just bad
practice and probably indicates incorrect design somewhere.
The link between the conn log and the notice log should
now be made with the connection's unique ID which is logged
in both logs and is more reliable.
* remotes/origin/topic/policy-scripts-new:
Fixed another SSL analyzer memory leak.
Attempting to fix another SSL bug.
Fixing a ref counting bug in the SSL analyzer that I just introduced.
Fixing memory leaks in SSL analyzer.
Fixed a parsing bug in the SSL analyzer thanks to tracefile from Aashish Sharma.
Removing my fix from earlier. This is indicating the script-land generated events priority problem.
Updates to the DPD framework.
Fixed a bug in the auth-addl DNS script.
Conflicts:
src/bro.bif
* origin/topic/robin/reporting:
Syslog BiF now goes through the reporter as well.
Avoiding infinite loops when an error message handler triggers errors itself.
Renaming the Logger to Reporter.
Overhauling the internal reporting of messages to the user.
Updating a bunch of tests/baselines as well.
Conflicts:
aux/broccoli
policy.old/alarm.bro
policy/all.bro
policy/bro.init
policy/frameworks/notice/weird.bro
policy/notice.bro
src/SSL-binpac.cc
src/bro.bif
src/main.cc
- Removed the ProtocolViolation notice. I'd like to hear
if someone actually used that notice for something.
- Folded the dyn-disable functionality into the dpd/base script.
- Other small cleanup.
This is for testing only. There are also two tests: one that checks
that test-all.bro loads correctly, and one that ensures that test-all
is actually loading all scripts found in policy/*.
- Fixed a pretty major eternal looping bug in the SSL analyzer and
a few other parsing problems.
- New core scripts and log for SSL connection analysis.
- New known-certs script for logging certificate assets.
- Fixed problem where notices were logged even if they
didn't have the ACTION_FILE action applied.
- New PolicyItem element, $halt. It's used for halting
the policy processing if a predicate returns T.
This replaces the ACTION_STOP action.
- Initial hacky email extension mechanism.
- Removed the IDMEF line. When that's added back later
it will likely be done more modularly.